<html>
<head><meta charset="utf-8"><title>Dependency confusion attack · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Dependency.20confusion.20attack.html">Dependency confusion attack</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="225929561"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Dependency%20confusion%20attack/near/225929561" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Dependency.20confusion.20attack.html#225929561">(Feb 10 2021 at 23:41)</a>:</h4>
<p>fun thread: <a href="https://users.rust-lang.org/t/dependency-confusion-attack-may-be-applicable-to-alternative-registries/55389">https://users.rust-lang.org/t/dependency-confusion-attack-may-be-applicable-to-alternative-registries/55389</a></p>



<a name="226012381"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Dependency%20confusion%20attack/near/226012381" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Dependency.20confusion.20attack.html#226012381">(Feb 11 2021 at 15:56)</a>:</h4>
<p>I saw this posted on Reddit earlier. The attack is brilliant, one of those simple-but-genius things like SSLstrip.<br>
It seems successfully attacking Cargo is a lot harder than attacking the other package managers.</p>



<a name="226083347"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Dependency%20confusion%20attack/near/226083347" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Dependency.20confusion.20attack.html#226083347">(Feb 12 2021 at 01:34)</a>:</h4>
<p>yeah that was really good to see in the thread</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>